Ubisoft stoppers Uplay plug-in hole

Summary: Games developer Ubisoft has patched a serious vulnerability in a plug-in for its Uplay DRM software that could have allowed a hacker to take remote control of a user's computer.


Games company Ubisoft has patched a serious vulnerability that could have allowed a hacker to take over a victim's computer.

Ubisoft has patched a hole in its Uplay browser plug-in. Image credit: Ubisoft

The flaw lay in a browser plug-in for Uplay, Ubisoft's in-game rewards and connection system, and could have allowed a malicious website to take control of a victim's computer, the company said.

The hole, found by Google security researcher Tavis Ormandy, was patched on Monday.

"We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today," Ubisoft said in a statement. "We recommend that all Uplay users update their Uplay PC application without a web browser open. This will allow the plug-in to update correctly."

"The browser plug-in that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they're being made," the company added. "This weakness could allow the application to specify any executable to run, rather than just a game."
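The class of fix that statement points to, as an added example that is not Ubisoft's code or part of the original article: a launch handler takes only a game identifier from the web page and maps it to a fixed executable, so the page can neither name an arbitrary program nor pass arguments. The install root, catalogue entries and function names are hypothetical.

```python
import os

# Hypothetical install root and catalogue (assumptions for this example).
INSTALL_ROOT = "/opt/launcher/games"
GAMES = {
    "game-a": "game-a/bin/game-a.exe",
    "game-b": "game-b/game-b.exe",
}


class LaunchRejected(Exception):
    """Raised when a web-originated launch request is not acceptable."""


def resolve_launch(request):
    """Turn a launch request from a web page into an argv list, or raise."""
    # The page may supply a game id and nothing else: no paths, no
    # extra arguments, no developer switches.
    if not isinstance(request, dict) or set(request) != {"game_id"}:
        raise LaunchRejected("unexpected fields in launch request")
    game_id = request["game_id"]
    if not isinstance(game_id, str) or game_id not in GAMES:
        raise LaunchRejected("unknown game id")
    # The executable comes from the local catalogue, never from the page.
    root = os.path.realpath(INSTALL_ROOT)
    exe = os.path.realpath(os.path.join(root, GAMES[game_id]))
    # Defence in depth: a bad catalogue entry must not escape the root.
    if os.path.commonpath([root, exe]) != root:
        raise LaunchRejected("resolved path escapes install root")
    return [exe]  # argv carries no caller-supplied arguments


def try_launch(request):
    """Return ('launch', argv) or ('reject', reason) without raising."""
    try:
        return ("launch", resolve_launch(request))
    except LaunchRejected as err:
        return ("reject", str(err))


if __name__ == "__main__":
    # Constructed sample requests.
    for req in ({"game_id": "game-a"},
                {"game_id": "game-a", "args": "-dev"},
                {"game_id": "not-in-catalogue"}):
        print(req, "->", try_launch(req))
```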

An updated version of the Uplay PC installer with the patch is also available from Uplay.com, the company said.

The patch will also update users' clients to Uplay version 2.0.4.

Ubisoft denied reports that Uplay contained a rootkit - a piece of software created to stealthily allow access to a computer.

"The issue is not a rootkit. The Uplay application has never included a rootkit. The issue was from a browser plug-in that Uplay PC utilises which suffered from a coding error that allowed systems usually used by Ubisoft PC game developers to make their games," said the company.

Companies are coming under increasing pressure to allow employees to use their own computing devices, a trend known as 'BYOD', or 'bring your own device'. BYOD brings vulnerabilities introduced into home devices, for example through gaming platforms, into the sphere of enterprise concerns.

Tom Espiner

  • Ubisoft stoppers Uplay plug-in hole

    Ubisoft "stoppers" Uplay plug-in hole.

    Title makes no sense
    • Sure it does.

      Stopper means "To plug a hole". As in you stopper your sink.
  • How did you manage to spin this...

    ...as a BYOD story? It's got nothing to do with that. If you're going to include a bug in UPlay as a BYOD story, then you should make a story every time any program gets a bug ever.